Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chords Fetcher

v1.0.0

Fetch clean guitar chords and lyrics from popular sites (mychords.net, amdm.ru, ultimate-guitar.com). Strips tabs, fixes formatting.

by Flo (@flobo3)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included code: the script searches DuckDuckGo for three target chord sites and scrapes chord blocks. However, the search/filter logic contains a bug (see details) that can return non-target URLs despite the stated multi-site restriction, which is disproportionate to the claimed targeted-source behavior.
Instruction Scope
SKILL.md instructs the agent to run the bundled script (exec'ing a Python process). The script performs network activity: it queries DuckDuckGo and fetches the found URL contents. The SKILL.md does not explicitly warn about network access or recommend sandboxing. The code's intended domain restriction is undermined by a logic bug that may cause fetching of arbitrary URLs.
Install Mechanism
No install spec (instruction-only plus a code file). No external installers or archive downloads. Dependencies are Python packages (beautifulsoup4, ddgs) — expected for web scraping.
Credentials
The skill declares no environment variables, credentials, or config paths. The code also does not read env vars or local configs. Network access is required (expected for a web scraper) but not explicitly declared in SKILL.md.
Persistence & Privilege
Skill does not request permanent presence (always:false) and does not modify agent/system configuration. Autonomous invocation is allowed (platform default) but not itself a special privilege here.
What to consider before installing
- The code and instructions align with the stated purpose (searching and scraping chords), but there is a logic bug in search_chords that can return arbitrary URLs instead of only the target domains. That means the agent may fetch unexpected web pages (including internal network endpoints) if a search result contains them.
- If you plan to run this skill, do so in a restricted environment (sandbox or network-restricted container) until you audit or patch the code.
- Quick fix suggestions a reviewer or developer can apply before use:
  - Change the ultimate-guitar branch condition to require the expected host, e.g. use an AND check: if 'ultimate-guitar.com/tabs/' in href and 'ultimate-guitar.com/pro/' not in href (or better: parse the URL and assert the hostname equals the expected domain).
  - Prefer parsing the href hostname with urllib.parse to enforce an allow-list of hosts (mychords.net, amdm.ru, ultimate-guitar.com) rather than string containment checks.
  - Remove unused variables (query_clean) and add explicit checks that URLs start with http:// or https://.
  - Document and warn that the script performs outbound network requests and that running it could contact external sites.
- If you cannot or will not run the code in a sandbox, do not install this skill. If you trust the environment and accept the network behavior, it is otherwise coherent with its stated purpose.
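A hardened URL filter of the kind the quick-fix suggestions above describe, written here as an added example (it is not the skill's own code): each href is parsed with urllib.parse and its real hostname is checked against the allow-list, shown beside a string-containment check of the style the report warns about. The sample hrefs are constructed, not real search results.

```python
from urllib.parse import urlsplit

# Allow-list of hosts the scraper is meant to contact (taken from the skill description).
ALLOWED_HOSTS = {"mychords.net", "amdm.ru", "ultimate-guitar.com"}


def _host_matches(host: str, allowed: str) -> bool:
    """True for the exact host or any subdomain of it (www., tabs., ...)."""
    return host == allowed or host.endswith("." + allowed)


def weak_check(href: str) -> bool:
    """String-containment check of the kind the report cautions against: it passes
    any URL whose text merely contains the target string, whatever the real host."""
    return "ultimate-guitar.com/tabs/" in href and "ultimate-guitar.com/pro/" not in href


def is_allowed_chord_url(href: str) -> bool:
    """Hardened check: parse the URL, require http(s), and compare the parsed
    hostname against the allow-list instead of searching the whole string."""
    parts = urlsplit(href.strip())
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not any(_host_matches(host, allowed) for allowed in ALLOWED_HOSTS):
        return False
    # Site-specific path rule from the report: only /tabs/ pages on ultimate-guitar
    # (which also excludes /pro/ pages).
    if _host_matches(host, "ultimate-guitar.com"):
        return parts.path.startswith("/tabs/")
    return True


# Constructed sample hrefs (hypothetical, not real search results).
SAMPLE_HREFS = [
    "https://www.ultimate-guitar.com/tabs/example-chords-1",
    "https://mychords.net/example/song",
    "https://evil.example/?ref=ultimate-guitar.com/tabs/",   # real host is evil.example
    "http://127.0.0.1/ultimate-guitar.com/tabs/",            # internal network endpoint
    "https://ultimate-guitar.com.evil.example/tabs/x",       # look-alike host suffix
    "ftp://mychords.net/x",                                  # wrong scheme
]


def filter_hrefs(hrefs, check=is_allowed_chord_url):
    """Return only the hrefs that pass the given check, preserving order."""
    return [h for h in hrefs if check(h)]


if __name__ == "__main__":
    print("weak    :", filter_hrefs(SAMPLE_HREFS, weak_check))
    print("hardened:", filter_hrefs(SAMPLE_HREFS))
```

The weak check lets the evil.example and 127.0.0.1 hrefs through because the target string appears in their path or query; the hardened check keeps only the two allow-listed hosts.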

Like a lobster shell, security has layers — review code before you run it.

latest: vk979z3gw3c6njymsw4e1v30x35840ccm

